Package: qmail-uids-gids
Version: 1.06-5
Severity: important

The shell used for the qmail-uids-gids users is bad, even dangerous. The qmail documentation explicitly stated those users should have a shell of /bin/false. In the modern era /usr/sbin/nologin might be substituted.

Problem is, the way the qmail-uids-gids was written, the qmail users will have a shell of /bin/bash, and the error message will suggest a shell of /bin/sh. This is VERY bad. The attached patch fixes this for new installations, but won't fix the issue for existing installations. The original script doesn't really do much for installations that were older either. This URGENTLY needs to be fixed!

-- 
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | ehem+sig...@m5p.com PGP 87145445 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445

--- netqmail-1.06.orig/debian/qmail-uids-gids.postinst 2016-07-04 19:47:23.000000000 -0700 +++ netqmail-1.06/debian/qmail-uids-gids.postinst 2016-07-04 19:52:15.440000000 -0700 @@ -45,13 +45,13 @@ $DEBUG groupadd -g 64010 qmail || return 1 $DEBUG addgroup --system nofiles || return 1 - $DEBUG useradd -u 64010 -g nofiles -d /var/lib/qmail/alias alias || return 1 - $DEBUG useradd -u 64011 -g nofiles -d /var/lib/qmail qmaild || return 1 - $DEBUG useradd -u 64015 -g nofiles -d /var/lib/qmail qmaill || return 1 - $DEBUG useradd -u 64016 -g nofiles -d /var/lib/qmail qmailp || return 1 - $DEBUG useradd -u 64014 -g qmail -d /var/lib/qmail qmailq || return 1 - $DEBUG useradd -u 64013 -g qmail -d /var/lib/qmail qmailr || return 1 - $DEBUG useradd -u 64012 -g qmail -d /var/lib/qmail qmails || return 1 + $DEBUG useradd -u 64010 -s /bin/false -g nofiles -d /var/lib/qmail/alias alias || return 1 + $DEBUG useradd -u 64011 -s /bin/false -g nofiles -d /var/lib/qmail qmaild || return 1 + $DEBUG useradd -u 64015 -s /bin/false -g nofiles -d /var/lib/qmail qmaill || return 1 + $DEBUG useradd -u 64016 -s /bin/false -g nofiles -d /var/lib/qmail qmailp || return 1 + $DEBUG useradd -u 64014 -s /bin/false -g qmail -d /var/lib/qmail qmailq || return 1 + $DEBUG useradd -u 64013 -s /bin/false -g qmail -d /var/lib/qmail qmailr || return 1 + $DEBUG useradd -u 64012 -s /bin/false -g qmail -d /var/lib/qmail qmails || return 1 # done return 0 } 
@@ -83,13 +83,13 @@ exist yet, this package will add them automatically. /etc/passwd: -alias:x:64010:XXXXX:qmail alias:/var/lib/qmail/alias:/bin/sh -qmaild:x:64011:XXXXX:qmail daemon:/var/lib/qmail:/bin/sh -qmails:x:64012:64010:qmail send:/var/lib/qmail:/bin/sh -qmailr:x:64013:64010:qmail remote:/var/lib/qmail:/bin/sh -qmailq:x:64014:64010:qmail queue:/var/lib/qmail:/bin/sh -qmaill:x:64015:XXXXX:qmail log:/var/lib/qmail:/bin/sh -qmailp:x:64016:XXXXX:qmail pw:/var/lib/qmail:/bin/sh +alias:x:64010:XXXXX:qmail alias:/var/lib/qmail/alias:/bin/false +qmaild:x:64011:XXXXX:qmail daemon:/var/lib/qmail:/bin/false +qmails:x:64012:64010:qmail send:/var/lib/qmail:/bin/false +qmailr:x:64013:64010:qmail remote:/var/lib/qmail:/bin/false +qmailq:x:64014:64010:qmail queue:/var/lib/qmail:/bin/false +qmaill:x:64015:XXXXX:qmail log:/var/lib/qmail:/bin/false +qmailp:x:64016:XXXXX:qmail pw:/var/lib/qmail:/bin/false /etc/group: qmail:x:64010: nofiles:x:XXXXX:
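
Review bot: in the first hunk (@@ -45,13) the new -s /bin/false only applies when useradd actually creates the account, so a host where alias, qmaild and the others already exist keeps whatever shell they were given before. Consider a follow-up step in the same function that sets the shell on accounts that are already present (usermod -s /bin/false for each of the seven names), so that upgrades are covered as well as fresh installs. The shell path is also repeated on all seven lines; a single variable would make a later switch to /usr/sbin/nologin a one-line change.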
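
Review bot: in the second hunk (@@ -83,13) the /etc/passwd sample text is a second hard-coded copy of the shell that the useradd calls in the first hunk pass with -s. The removed lines show how these drift: the text said /bin/sh while the old useradd calls passed no -s at all. If this text is emitted by the script, take the shell from the same variable as the useradd calls so the message shown to the admin cannot disagree with what the package creates.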
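
An added example, not part of the original report or the package: a shell audit for the existing installations that the report says the patch leaves untouched. It lists the seven qmail accounts whose passwd shell is not /bin/false or /usr/sbin/nologin and prints matching usermod commands for review; the function names, the sample passwd lines and gid 999 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the package). Account names are the seven created
# by the postinst; accepted shells are the two named in the report.
QMAIL_USERS="alias qmaild qmaill qmailp qmailq qmailr qmails"

# qmail_shell_audit [passwd-file | -]
# Prints "user shell" for every qmail account that can still get a shell.
# Exit status 1 if any account was reported, 0 if all are locked down.
qmail_shell_audit() {
    awk -F: -v users="$QMAIL_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 != "/bin/false" && $7 != "/usr/sbin/nologin" {
            # An empty shell field is not safe: passwd(5) defaults it to /bin/sh.
            print $1, ($7 == "" ? "(empty, defaults to /bin/sh)" : $7)
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:-/etc/passwd}"
}

# qmail_shell_fix_cmds [passwd-file | -]
# Turns the audit into usermod commands for an admin to review; runs nothing.
qmail_shell_fix_cmds() {
    qmail_shell_audit "$@" | while read -r user rest; do
        printf 'usermod -s /bin/false %s\n' "$user"
    done
}

# Constructed sample input (gid 999 stands in for the XXXXX placeholder).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alias:x:64010:999:qmail alias:/var/lib/qmail/alias:/bin/bash
qmaild:x:64011:999:qmail daemon:/var/lib/qmail:/bin/false
qmails:x:64012:64010:qmail send:/var/lib/qmail:/usr/sbin/nologin
qmailr:x:64013:64010:qmail remote:/var/lib/qmail:
qmailq:x:64014:64010:qmail queue:/var/lib/qmail:/bin/sh
EOF
}

# Demo on the constructed sample; on a real host call qmail_shell_audit alone.
sample_passwd | qmail_shell_audit - || echo "=> qmail accounts with a login shell found" >&2
sample_passwd | qmail_shell_fix_cmds -
```

Called with no argument, qmail_shell_audit reads /etc/passwd, so accounts served from another NSS source are not covered.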